The SystemBC botnet now controls more than 10,000 IP addresses worldwide, despite disruption by law enforcement as part of Operation Endgame in 2024, Silent Push reported Wednesday.SystemBC, also known as Coroxy or DroxiDat, has been active since approximately 2019 and uses infected devices as SOCKS5 proxies for malicious activity.The botnet is often leveraged in intrusions that lead to ransomware attacks, and devices infected with SystemBC malware have also been subject to follow-on attacks with additional malware payloads, Silent Push noted.Silent Push researchers developed a fingerprint to track SystemBC activity in 2025 and have since identified more than 10,340 unique victim IP addresses controlled by the botnet.The largest proportion of compromised IP addresses are from the United States, with more than 4,300, followed by Germany with 829, France with 448, Singapore with 419 and India with 294.The researchers also discovered compromised IP addresses tied to government networks in Vietnam and Burkina Faso, marking a potential infiltration of government-linked infrastructure.
Related reading:
The botnet remained consistently active, with about 2,888 associated IP addresses observed daily, and SystemBC infections persisted for about 38 days on average, sometimes last more than 100 days.SystemBC’s developer, who goes by the alias “psevdo,” continued to post updates about the botnet malware on Russian-speaking cybercrime forums post-Operation Endgame, highlighting the operation’s continued activity and development despite the disruption.The malware’s continued evolution is also evidenced by the emergence of a new Perl variant, which was uploaded to VirusTotal in August 2025 with no detections across 62 antivirus solutions.This variant, designed to infect Linux machines, was tied to two ELF droppers — SafeObject and StringHash — which drop 264 embedded SystemBC payloads into writable directories on infected machines, including the ELF and Perl variants, SilentPush said.SystemBC mainly incorporates IP addresses originating from hosting providers rather than residential networks. The operation’s own command-and-control (C2) infrastructure is hosted by bulletproof hosting providers BTHoster and BTCloud.A report by Lumen Technology’s Black Lotus Labs in September 2025 found that commercial virtual private servers (VPSs) were being heavily targeted for SystemBC infection through vulnerability exploits.Recently, many IP addresses tied to SystemBC have been reported on VirusTotal in connection with WordPress exploitation, suggesting the botnet is being leveraged in widespread attacks against WordPress sites.Silent Push encourages organizations to actively monitor SystemBC indicators of compromise (IoCs), including known IP addresses and malware file hashes, noting the botnet’s historical connection to ransomware attacks.“We believe SystemBC remains an active threat to major enterprises and expect the Tactics, Techniques, and Procedures (TTPs) of the multiple threat actors leveraging this malware to continue evolving indefinitely,” Silent Push’s report concludes.
Threat Management, Threat Intelligence, Ransomware, Malware, Endpoint/Device Security
More than 10,000 IPs hijacked by SystemBC botnet

An In-Depth Guide to Ransomware
Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



